code-423n4 / 2024-05-loop-findings


Consider adding disallowToken instead of only allowToken function #98

Closed howlbot-integration[bot] closed 3 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L364

Vulnerability details

Impact

The absence of a disallowToken function in the "PrelaunchPoints" smart contract could potentially lead to various risks and limitations:

Inability to remove unsupported or problematic tokens from the contract's list of supported tokens.

Proof of Concept

/**
 * @notice Disallows a token from being used within the contract
 * @param _token The address of the token to disallow
 * @dev Only the contract owner can call this function
 */
function disallowToken(address _token) external onlyAuthorized {
    isTokenAllowed[_token] = false;
}

Tools Used

Visual Studio Code

Recommended Mitigation Steps

Design the disallowToken function to allow the contract owner to remove specific tokens from the list of supported tokens.

Assessed type

Context

0xd4n1el commented 3 months ago

This poses a security risk in case of a malicious owner, since disallowedTokens can be withdrawn by the owner.

c4-judge commented 3 months ago

koolexcrypto changed the severity to QA (Quality Assurance)

c4-judge commented 3 months ago

This previously downgraded issue has been upgraded by koolexcrypto

c4-judge commented 3 months ago

koolexcrypto marked the issue as primary issue

c4-judge commented 3 months ago

koolexcrypto marked the issue as duplicate of #90

c4-judge commented 3 months ago

koolexcrypto marked the issue as unsatisfactory: Invalid